(In reply to comment #2)
> 48913 has a proposed patch. I'll look at committing it today.
>
> *** This bug has been marked as a duplicate of bug 48913 ***
Didn't see this until I had committed my patch. The patch in 48913 doesn't seem to capture the changeSessionId use case. But both patches do the same thing

Filip,
Your change doesn't actually do exactly what you think it does.
Your code - below - Response.java, line 992:
for (int i = 0; i < n; i++) {
if (headers.getName(i).toString().equals(headername)) {
if (headers.getValue(i).toString().startsWith(startsWith)) {
--> headers.setValue(sb.toString());
set = true;
}
}
}
Yes, setValue(contents) appears to be a logical call... however, that call is actually setValue(name), and the returned contents are meant to be the reference to the header (to which you can then add the value).
The result of that call is to add a header named, say:
JSESSIONID=54EDEDA814975EB485C2D9D660346717; Domain=.domain.com; Path=/
This doesn't actually appear to result in any additional response header (presumably because the format was invalid, or the value was never set), and it doesn't change the value of the existing Set-Cookie header. The following code appears to work fine instead:
for (int i = 0; i < n; i++) {
if (headers.getName(i).toString().equals(headername)) {
if (headers.getValue(i).toString().startsWith(startsWith)) {
--> headers.getValue(i).setString(sb.toString());
set = true;
}
}
}
Note that you could probably optimise this (and avoid the set=true / later addHeader() call by calling instead:
headers.setValue(name).setString(sb.toString())
This is proving to be critical to us (we manually invalidate sessions first time around when we haven't seen them before - to guard against sessions being presented from search engines), and we currently end up in an invalidation loop as the second JSESSIONID is never actually presented back to the browser.

This is ASF Bugzilla: the Apache Software Foundation bug system. In case
of problems with the functioning of ASF Bugzilla, please contact
bugzilla-admin@apache.org.
Please Note: this e-mail address is only for reporting problems
with ASF Bugzilla. Mail about any other subject will be silently
ignored.